Cloud providers unprepared for new EU data protection regulations

Darren Allan, 11th August 2014

A new piece of research claims that cloud service providers are poorly prepared for incoming EU regulations.

In fact, according to the findings of Skyhigh Networks, which took a fine-tooth comb to its CloudRegistry of some 7,000 cloud services, only one per cent of vendors meet the stipulations of the EU General Data Protection Regulation which is expected to come into play in 2015 (replacing the Data Protection Directive adopted in 1995).

The new legislation lays down regulations on data residency, encryption and security, and deletion policies along with the now notorious "right to be forgotten" ruling that was applied to Google (and other search engines).

In terms of data residency, only eleven countries currently comply with EU privacy requirements, and the US isn't one of them – and the States is where two-thirds of all cloud providers have their HQ.

Data breach notification is another thorny area, with the new laws requiring companies to notify EU authorities inside 24 hours of a data breach – even if the breach happens due to a third-party cloud provider. However, if the organisation doesn't spot the breach – as is often the case, with many cloud providers putting the onus on the company to do so – then reporting it so quickly will obviously be tricky to say the least.

Skyhigh notes that some existing laws such as the UK General Data Protection Regulation can allow a company to get round such a tight time limit on notification if their data is encrypted, but only 1.2 per cent of cloud providers offer the tenant-managed encryption keys required to do this.

Charlie Howe, Skyhigh Networks EMEA director, commented: "It's staggering how few cloud providers are prepared for the new EU regulations but, fortunately, there's still time for providers to get into shape. This means addressing a number of complex issues now, such as the right to be forgotten, as well as implementing data protection policies that meet these new standards."

He added: "For cloud providers this will inevitably require additional resources and expenditures, but it's a snip given the proposed penalties for violating the new laws, which can be up to five percent of a company's annual revenue or up to €100 million [$134 million]."